Cybersecurity has been high on the agenda in recent years, especially among companies and organizations. At the IT level, the leaks have usually already been plugged, but when it comes to OT infrastructure, the risks are still too often underestimated. Yet the continuity of business processes and the protection of personal information are crucial. A cybersecurity audit can reveal the areas for improvement.
Over the last 10 years, in the field of cybersecurity in buildings, much attention has been paid to pure IT infrastructure such as computers and printers. OT (operational technology), however, is still too often neglected. Meanwhile, the use of network-connected cameras, access control, fire detection and building management systems for cooling and heating, among others, has increased dramatically. This makes OT infrastructure vulnerable to misuse.
Many building managers and users are unaware of the potential risks of poor OT protection. For example, access control software contains personal data subject to the GDPR. A poorly secured camera system allows hackers to look around your building. That not only violates the privacy of those who walk around in it, but can also lead to physical break-ins and theft. Hacking the cooling or heating systems can cause a production facility to shut down. And these are just a few examples.
Action is taken not only at the technical level but also at the organizational level. This is done according to the principle of Organizational Physical Electronic Notification Measures (OFEM). That OFEM principle can be applied in both the physical and the virtual world.
Cybersecurity audit
Together with NVISO Belgium, Ingenium performs cybersecurity audits at companies and organizations. We combine NVISO's expertise on the IT side with our technical knowledge on the OT side. An audit starts with a number of workshops with the client to get to know the building and its technical installations better. Extra attention is paid to the critical installations, whose risk of failure will be tested.
Mapping will include:
- how the network is constructed and managed
- what information is easy to obtain and what information can be considered critical
- which rooms with technical equipment are accessible without authorization
- what the login procedures are
- which data points (for phone or Internet, for example) are easily accessible
- which software applications should be tested to verify that the data is properly protected.
Internal and remote
Tests are not performed only in the building itself. With remote access testing, we check whether technical installations can also be taken over remotely. Among other things, it is important to know:
- Which technical installations are accessible from outside for maintenance by external partners
- Whether authentication is done with fixed passwords or with multifactor authentication.
Possible pain points
The potential pain points encountered in recent office buildings during a cybersecurity audit are:
- The lack of malware detection and of a firewall that acts as a good "referee" for the data flows of the technical installations
- Technical systems are not secured and freely accessible over the network
- No watertight password policy, which means it is never possible to find out afterwards exactly who performed which action
- Personalized data that is easy to find
- Technical rooms that are physically accessible to everyone
- No use of encryption
- Lack of security patches
- No proper backup and restore policy
- Login procedure for "remote access" (logging in from outside the corporate network) is often inadequate
Adaptation and retesting
So the problems were in the areas of hardware, software and network construction. Many of the listed security risks were not located outside but inside the building itself. After the audit, in consultation with the customer, we looked at which issues needed to be eliminated and which could be considered an acceptable risk. This is based on risk versus cost. When the necessary adjustments are made, a new test follows to see if the desired result is actually achieved.
The audit in this example clearly showed that numerous risks were present. The growing number of IP devices in the OT world means that extra attention is needed to build the networks in a secure manner.
Could your company or organization also use a cybersecurity audit? Our expert Tim Opsomer would be happy to explain: tim.opsomer@ingenium.be.